Migration to new server, will we hit rate limits?

We have a Windows 2012 R2 server running IIS and plan to move over to a Windows 2022 server with IIS. Now, our old server is running the Win-Acme utility to create Let's Encrypt certificates for known site bindings and our new server will run that util too. Works perfectly in both cases.

Now, our old server will be shut off and the new server will be assigned the IP address of the old server. Instead of moving/migrating all the current Let's Encrypt certificates from the old server to the new server, I was planning to just create a batch file on the new server creating all new certificates. That works great with the Win-Acme IIS plugin (I have tested the procedure with a new domain name). As far as I can see, it totals about 165 certificates (not 165 domain names but certificates). Will we run into rate limiting problems or other problems if I create all new certificates instead of migrating and then renewing them?

These are our main (and most important) domain names and the command lines in the batch file to issue new certificates (please note that these are unique web sites):

D:\letsencryptv227\wacs.exe --source iis --siteid 2 --host app.domain.nl --installation iis
D:\letsencryptv227\wacs.exe --source iis --siteid 3 --host go.domain.nl --installation iis
D:\letsencryptv227\wacs.exe --source iis --siteid 3 --host go1.domain.nl --installation iis
D:\letsencryptv227\wacs.exe --source iis --siteid 5 --host new.domain.nl --installation iis
D:\letsencryptv227\wacs.exe --source iis --siteid 6 --host xml.domain.nl --installation iis
D:\letsencryptv227\wacs.exe --source iis --siteid 7 --host dev.domain.nl --installation iis
D:\letsencryptv227\wacs.exe --source iis --siteid 8 --host domain.nl,www.domain.nl --installation iis

There are 150 lines like the one below (all unique domain names) for the same site (id 8):
D:\letsencryptv227\wacs.exe --source iis --siteid 8 --host customer1.nl,www.customer1.nl --installation iis

Will this work without problems? I really don't want to discover that the above is impossible when the old server is shut off and the new one needs to be running not too long after that.

Thanks!

Yes, if you are creating certificates for 50 subdomains of the same domain then you will hit the Certificates Per Registered Domain limit: Rate Limits - Let's Encrypt

You should instead either:

  • export your PFX for each certificate out of the Windows certificate store and re-import them, then update your site https bindings for each site (UseSNI enabled, hostname set, IP All Unassigned) to point to the correct certificate
  • follow the win-acme suggested migration process: win-acme (this involves decrypting config in advance, and I would also assume you still have to import all the certificates (PFX files) and ensure that the private keys are accessible and working)

Whichever approach you use, you will need to test repeatedly before going into production.

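The first option above (export the PFX files on the old server, import them on the new server and re-point the SNI bindings) can be scripted. The following PowerShell is an added example, not part of the thread or of win-acme; it uses only the PKI and WebAdministration modules that ship with Windows Server. The export folder, the IIS site name and the assumption that the SAN extension formats as "DNS Name=..." (English Windows locale) are assumptions for illustration.

```powershell
# Added example: migrate existing Let's Encrypt certificates instead of re-issuing them.
# Run Export-LetsEncryptCerts on the OLD server and Import-AndBindCerts on the NEW server
# after copying the PFX files across. Paths and site name are assumptions.

$ExportDir   = 'D:\certmigration'                                # assumed folder
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'  # never hard-code this

# --- Old server: export every Let's Encrypt certificate together with its private key ---
function Export-LetsEncryptCerts {
    param([string]$Dir, [SecureString]$Password)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*O=Let's Encrypt*" -and $_.HasPrivateKey }
    foreach ($cert in $certs) {
        # File name = CN plus thumbprint, so renewals of the same name do not clash
        $name = ($cert.Subject -replace '^CN=', '') -replace '[\\/:*?"<>|]', '_'
        $path = Join-Path $Dir "$name-$($cert.Thumbprint).pfx"
        Export-PfxCertificate -Cert $cert -FilePath $path -Password $Password | Out-Null
    }
    return $certs.Count
}

# --- New server: import each PFX and bind it to every hostname it covers ---
function Import-AndBindCerts {
    param([string]$Dir, [SecureString]$Password, [string]$SiteName)
    Import-Module WebAdministration
    foreach ($pfx in Get-ChildItem -Path $Dir -Filter *.pfx) {
        $cert = Import-PfxCertificate -FilePath $pfx.FullName `
            -CertStoreLocation Cert:\LocalMachine\My -Password $Password -Exportable
        # Collect the DNS names from the SAN extension (e.g. domain.nl and www.domain.nl);
        # assumption: Format() yields "DNS Name=a, DNS Name=b" (English locale)
        $sanExt = $cert.Extensions |
            Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
        $dnsNames = if ($sanExt) {
            ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[1] }
        } else { @($cert.Subject -replace '^CN=', '') }
        foreach ($h in $dnsNames) {
            # SslFlags 1 = SNI required; IPAddress '*' = All Unassigned
            if (-not (Get-WebBinding -Name $SiteName -Protocol https -HostHeader $h)) {
                New-WebBinding -Name $SiteName -Protocol https -Port 443 `
                    -IPAddress '*' -HostHeader $h -SslFlags 1
            }
            $binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $h
            $binding.AddSslCertificate($cert.Thumbprint, 'My')
        }
    }
}

# --- Verification on the new server: list https bindings and their certificate hashes ---
function Show-HttpsBindings {
    param([string]$SiteName)
    Import-Module WebAdministration
    Get-WebBinding -Name $SiteName -Protocol https |
        Select-Object bindingInformation, sslFlags, certificateHash
}

# Old server:  Export-LetsEncryptCerts -Dir $ExportDir -Password $PfxPassword
# New server:  Import-AndBindCerts -Dir $ExportDir -Password $PfxPassword -SiteName 'Customers'
#              Show-HttpsBindings -SiteName 'Customers'
```

Delete the PFX files once the bindings are verified, since each one carries a private key. win-acme will not know about imported certificates, so the renewal configuration on the new server still has to be recreated (or migrated as described in the second option) before the first renewal falls due.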

Thanks! But we are not creating certificates for 50 subdomains of the same domain. Apart from the examples I showed there are 150 lines to generate certificates like this:

D:\letsencryptv227\wacs.exe --source iis --siteid 8 --host customer2.nl,www.customer2.nl --installation iis
D:\letsencryptv227\wacs.exe --source iis --siteid 8 --host customer3.nl,www.customer3.nl --installation iis
D:\letsencryptv227\wacs.exe --source iis --siteid 8 --host customer4.nl,www.customer4.nl --installation iis
etc.

So they're all separate domains (2 bindings per domain).

Will that hit the rate limit in any way if I create those new certificates at the same time?

Ok, sounds good. Let's Encrypt rate limits are 300 orders per 3 hrs, so you should be fine.

If a problem occurs though, I'd obviously recommend having a backup plan, including either exporting, importing and binding your existing certificates or reverting to your old server.

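Rather than finding out at cut-over time, the batch file can be checked offline against the two limits discussed in this thread: 50 certificates per registered domain per week and 300 new orders per account per 3 hours. The following PowerShell is an added example, not from the thread or from win-acme; the batch file path is an assumption, and the registered-domain rule is deliberately simplified to "last two labels", which is correct for .nl and .com but not for suffixes such as .co.uk, where the Public Suffix List would be needed.

```powershell
# Added example: dry-run a win-acme batch file against the Let's Encrypt limits
# quoted in the thread (50 certs per registered domain per week, 300 orders per 3 hours).
# Nothing here contacts the ACME server; it only parses the --host arguments.

$BatchFile      = 'D:\letsencryptv227\issue-all.cmd'   # assumed path
$PerDomainLimit = 50     # certificates per registered domain per week
$OrdersLimit    = 300    # new orders per account per 3 hours

function Get-RegisteredDomain([string]$fqdn) {
    $labels = $fqdn.ToLower().TrimEnd('.') -split '\.'
    # Simplification: assumes a single-label public suffix (.nl, .com), not .co.uk
    return (($labels | Select-Object -Last 2) -join '.')
}

function Test-BatchAgainstRateLimits {
    param([string[]]$Lines)
    $orders = @()
    foreach ($line in $Lines) {
        # Each wacs.exe line with --host a,b,c is one order / one certificate
        if ($line -match '--host\s+(\S+)') {
            $names = $Matches[1] -split ','
            $orders += [pscustomobject]@{
                Hosts      = $names
                Registered = @($names | ForEach-Object { Get-RegisteredDomain $_ } |
                             Sort-Object -Unique)
            }
        }
    }
    # A certificate counts once against every registered domain it contains
    $perDomain = @{}
    foreach ($o in $orders) {
        foreach ($d in $o.Registered) { $perDomain[$d] = 1 + [int]$perDomain[$d] }
    }
    $over = @($perDomain.GetEnumerator() |
              Where-Object { $_.Value -gt $PerDomainLimit } |
              ForEach-Object { "$($_.Key) ($($_.Value))" })
    return [pscustomobject]@{
        TotalOrders       = $orders.Count
        ExceedsOrderLimit = ($orders.Count -gt $OrdersLimit)
        CertsPerDomain    = $perDomain
        DomainsOverLimit  = $over
    }
}

$result = Test-BatchAgainstRateLimits -Lines (Get-Content $BatchFile)
$result | Format-List TotalOrders, ExceedsOrderLimit, DomainsOverLimit
$result.CertsPerDomain.GetEnumerator() | Sort-Object Value -Descending |
    Select-Object -First 5   # the busiest registered domains
```

For the batch described in this thread the script would report 157 orders (7 for domain.nl subdomains plus 150 customer domains), no registered domain above 7 certificates, and ExceedsOrderLimit false. If the count ever does approach 300, splitting the batch across more than one 3-hour window is the fix; win-acme's --test switch, which points at the Let's Encrypt staging environment with its own separate limits, is the place to rehearse the batch before running it for real.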

Perfect, thank you for the response! Of course, reverting to our old server is always possible (it's a VPS with easy and quick restore of snapshots).
